# Configuration of single sign-on in Microsoft Entra ID

export const provider_1 = "Microsoft Entra ID"

export const entity_1 = "application"

export const entity_0 = "application"

export const provider_0 = "Microsoft Entra ID"

In this tutorial, you'll learn to configure SSO in Nebius AI Cloud with [Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/fundamentals/whatis).

To configure SSO, you need access to two systems:

* Nebius AI Cloud, where you create and configure a federation.
* Microsoft Entra ID, where you create an application, make it available to the users for whom you configure SSO, and connect the application to the federation.

After the federation and application are set up, users can sign in to Nebius AI Cloud by using their Microsoft Entra ID credentials.

## Costs

This tutorial doesn't include any chargeable resources. The infrastructure you create is free of charge.

## Prerequisites

1. [Create a Microsoft Entra account](https://azure.microsoft.com/en-us/pricing/purchase-options/azure-account?icid=azurefreeaccount\&WT.mc_id=A261C142F). You can create it for free.
2. Make sure that this account has at least the [Cloud Application Administrator](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#cloud-application-administrator) and [User Administrator](https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference#user-administrator) roles. Otherwise, [assign them](https://learn.microsoft.com/en-us/entra/fundamentals/users-assign-role-azure-portal#assign-roles).
3. Make sure that your Nebius AI Cloud account is [added](/iam/authorization/groups/members) to the tenant's group of administrators. To check this, in the [web console](https://console.nebius.com), go to **Administration** → **IAM** → **Users**.
4. If you prefer not to use the [web console](https://console.nebius.com), prepare one of the other available Nebius AI Cloud interfaces:

   <Tabs group="interfaces">
     <Tab title="CLI">
       [Install](/cli/install) and [configure](/cli/configure) the Nebius AI Cloud CLI.
     </Tab>

     <Tab title="Terraform">
       [Install and configure](/terraform-provider/quickstart) the Nebius AI Cloud provider for Terraform.
     </Tab>
   </Tabs>

## Steps

### Create an application in Microsoft Entra ID

1. Sign in to the [Microsoft Entra admin center](https://entra.microsoft.com/).

2. [Create an enterprise application](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/add-application-portal#add-an-enterprise-application):

   1. In the **Browse Microsoft Entra Gallery** window, click the **Create your own application** button.
   2. In the window that opens, specify the application name and select the option **Integrate any other application you don't find in the gallery (Non-gallery)**.

3. [Create and assign user accounts](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/add-application-portal-assign-users) to the application.

4. [Enable SSO](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/add-application-portal-setup-sso#enable-single-sign-on) for the application. On the **SAML-based Sign-on** page, in the **Basic SAML Configuration** section, specify the following parameters:

   * **Identifier (Entity ID)**: <code>{`https://auth.eu.nebius.com/saml2/rp/federation-id`}</code>.
   * **Reply URL (Assertion Consumer Service URL)**: <code>{`https://auth.nebius.com/login/saml2/provider/federation-id`}</code>.

   <Note>
     The two values use different domain names: <code>auth.eu.nebius.com</code> and <code>auth.nebius.com</code>.
   </Note>

   `federation-id` is used temporarily until you [create a federation](#create-a-federation-in-nebius-ai-cloud) and get its ID. After that, replace `federation-id` with the actual value.

### Download the application certificate from Microsoft Entra

In the Microsoft Entra admin center, download an autogenerated base64 certificate. Find the certificate in the **Manage** → **Single sign-on** section, in the **Certificate (Base64)** field.

For more information, see the [Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/tutorial-manage-certificates-for-federated-single-sign-on#autogenerated-certificate-for-gallery-and-non-gallery-applications) documentation.

### Create a federation in Nebius AI Cloud

1. To create a federation:

   <Tabs group="interfaces">
     <Tab title="Web console">
       1. In the sidebar, go to **Administration** → **IAM**.

       2. Click **Create entity** and select **Federation**.

       3. Click the **Manual mode** toggle and enter your federation name.

       4. Specify the following parameters under **Identity provider (IdP)**:

          * **SSO URL**: Login URL from Microsoft Entra ID.
          * **Issuer**: Microsoft Entra Identifier.

          To get these values:

          1. Open the application page in the Microsoft Entra admin center.
          2. Go to the **Manage** → **Single sign-on** section.
          3. Copy the values of the **Login URL** and **Microsoft Entra Identifier** fields.

       5. Enter a name for your certificate.

       6. Upload the certificate file that you obtained in the [previous step](#download-the-application-certificate-from-microsoft-entra) and click **Create federation**.

          Copy the ID of the newly created federation.
     </Tab>

     <Tab title="CLI">
       1. Run the following command:

          ```bash
          nebius iam federation create \
            --parent-id <tenant_ID> \
            --name <federation_name> \
            --user-account-auto-creation=true \
            --saml-settings-sso-url <Login_URL> \
            --saml-settings-idp-issuer <Identity_Provider_Identifier>
          ```

          The command contains the following parameters:

          * `--parent-id`: [Tenant ID](/iam/get-tenants#cli).

          * `--name`: The federation name.

          * `--user-account-auto-creation`: When the user signs in to Nebius AI Cloud via SSO, their account is automatically created in the tenant with the configured federation.

          * `--saml-settings-sso-url`: Login URL from Microsoft Entra ID.

          * `--saml-settings-idp-issuer`: Microsoft Entra Identifier.

            To get values for `--saml-settings-sso-url` and `--saml-settings-idp-issuer`:

            1. Open the application page in the Microsoft Entra admin center.
            2. Go to the **Manage** → **Single sign-on** section.
            3. Copy the values of the **Login URL** and **Microsoft Entra Identifier** fields.

       2. Copy and save the federation ID. It is returned in the `metadata.id` field of the command output.
     </Tab>

     <Tab title="Terraform">
       1. Create the following configuration file:

          ```hcl
          resource "nebius_iam_v1_federation" "<federation_name>" {
            name                       = "<federation_name>"
            parent_id                  = "<tenant_ID>"
            user_account_auto_creation = true
            saml_settings = {
              sso_url    = "<login_URL>"
              idp_issuer = "<Microsoft_Entra_Identifier>"
            }
          }

          output "federation_id" {
            description = "ID of the created federation"
            value       = nebius_iam_v1_federation.<federation_name>.id
          }
          ```

          The file contains a resource with federation settings and an output that returns the federation ID. The resource contains the following parameters:

          * `name`: The federation name.

          * `parent_id`: [Tenant ID](/iam/get-tenants).

          * `user_account_auto_creation`: When the user signs in to Nebius AI Cloud via SSO, their account is automatically created in the tenant with the configured federation.

          * `saml_settings.sso_url`: Login URL from Microsoft Entra ID.

          * `saml_settings.idp_issuer`: Microsoft Entra Identifier.

            To get values for `saml_settings.sso_url` and `saml_settings.idp_issuer`:

            1. Open the application page in the Microsoft Entra admin center.
            2. Go to the **Manage** → **Single sign-on** section.
            3. Copy the values of the **Login URL** and **Microsoft Entra Identifier** fields.

       2. Check that the configuration is correct:
          ```bash
          terraform validate
          ```

       3. Apply the changes:
          ```bash
          terraform apply
          ```

       4. Copy and save the federation ID. It is returned in the `terraform apply` output:

          ```text
          Outputs:

          federation_id = "federation-e00*******"
          ```
     </Tab>
   </Tabs>

2. Change the SAML settings of the application in the Microsoft Entra admin center:

   1. Open the application page.
   2. Go to the **Manage** → **Single sign-on** section.
   3. In the fields **Identifier (Entity ID)** and **Reply URL (Assertion Consumer Service URL)**, replace the `federation-id` part of the values with the copied federation ID.

### Add a certificate to the federation

<Note>
  If you used the [web console](https://console.nebius.com) to create a federation, you can skip this part and proceed to the [next step](#log-in-to-nebius-ai-cloud).
</Note>

Add the certificate you obtained in the [previous step](#download-the-application-certificate-from-microsoft-entra) to the federation:

<Tabs group="interfaces">
  <Tab title="CLI">
    1. Prepare the `federation-cert.json` file:

       ```json
       {
         "metadata": {
           "parent_id": "<federation_ID>"
         },
         "spec": {
           "description": "certificate for a federation",
           "data": "-----BEGIN CERTIFICATE-----\n<certificate_body>\n-----END CERTIFICATE-----\n"
         }
       }
       ```

       Specify the certificate body from the downloaded file and the federation ID.

       In the downloaded file, the certificate body is split into several lines. Paste it as a single line in `federation-cert.json`.
    2. Apply the certificate file:

       ```bash
       nebius iam federation-certificate create --file federation-cert.json
       ```
  </Tab>

  <Tab title="Terraform">
    1. Prepare the certificate file in the same directory where you [store](#create-a-federation-in-nebius-ai-cloud) the `nebius_iam_v1_federation` resource:
       ```hcl
       resource "nebius_iam_v1_federation_certificate" "certificate-for-<federation_name>" {
         parent_id   = "<federation_ID>"
         name        = "certificate"
         data        = <<EOT
       -----BEGIN CERTIFICATE-----
       <certificate_body>
       -----END CERTIFICATE-----
       EOT
         description = "certificate for a federation"
         depends_on = [
           nebius_iam_v1_federation.<federation_name>
         ]
       }
       ```
       Specify the following:
       * Federation name
       * Federation ID
       * Certificate body from the downloaded file
    2. Check that the configuration is correct:
       ```bash
       terraform validate
       ```
    3. Apply the changes:
       ```bash
       terraform apply
       ```
  </Tab>
</Tabs>
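
The following is an added example, not part of the Nebius documentation: a Python helper that turns the downloaded **Certificate (Base64)** file into the `federation-cert.json` structure from the CLI tab, collapsing the multi-line body into one line and rejecting input that is not a single public certificate. The function names and sample bytes are constructed for illustration, and the DER check only confirms the outer SEQUENCE tag rather than parsing the full X.509 structure.

```python
import base64
import hashlib
import json
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def build_federation_cert(pem_text: str, federation_id: str) -> dict:
    """Return the federation-cert.json structure with a single-line certificate body."""
    if "PRIVATE KEY" in pem_text:
        raise ValueError("input contains a private key; only the public certificate is uploaded")
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate block, found {len(blocks)}")
    # Collapse CRLF/LF line breaks and stray whitespace into one base64 line.
    body = "".join(blocks[0].split())
    der = base64.b64decode(body, validate=True)  # raises ValueError on non-base64 input
    if not der.startswith(b"\x30"):
        raise ValueError("decoded data does not start with a DER SEQUENCE tag")
    return {
        "metadata": {"parent_id": federation_id},
        "spec": {
            "description": "certificate for a federation",
            "data": f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n",
        },
    }


def sha256_fingerprint(cert: dict) -> str:
    """SHA-256 over the decoded bytes, for comparing the file against another copy."""
    body = cert["spec"]["data"].split("\n")[1]
    return hashlib.sha256(base64.b64decode(body)).hexdigest()


# Constructed sample: placeholder DER-like bytes wrapped at 64 columns with CRLF
# line endings, mimicking a downloaded file. This is not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(120))
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    + "\r\n".join(SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64))
    + "\r\n-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    cert = build_federation_cert(SAMPLE_PEM, "<federation_ID>")
    print(json.dumps(cert, indent=2))
    print("sha256:", sha256_fingerprint(cert))
```

`json.dumps` writes the line breaks around the body as `\n` escapes, which matches the `data` value shown in the CLI tab.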

### Log in to Nebius AI Cloud

1. Open the [Nebius AI Cloud web console](https://console.nebius.com).
2. Click **Get started with SSO**.
3. Enter the federation ID and click **Sign in**.
4. In the **Contact details** window that opens:

   1. Specify your name and email.
   2. Confirm that you agree with the [Nebius AI Cloud Terms of Use](/legal/terms-of-use).
   3. Click **Continue**.

A successful login means that you have correctly configured the federation and application in Nebius AI Cloud and Microsoft Entra ID.

### Assign administrator rights for the new account

After your first login to the new federation, a new user account is created in the tenant.

To complete the setup and grant the new user account access to the platform, add it to a group with admin rights in Nebius AI Cloud:

1. Log out of your new account in the [web console](https://console.nebius.com).
2. Log in to your main Nebius AI Cloud account.
3. Go to **Administration** → **IAM** → **Users** and [add](../authorization/groups/members) the new user to the relevant admin group.
